Reputation: 991
Scanning Rest API's through OWASP zap inside a docker environment
I set an Azure devops CI/CD build that will start a vm where Owasp Zap is running as a proxy and where the Owasp zap Azure devops task will run on a target url and copy my report in an Azure Storage.
Followed this guy's beautiful tutorial: https://kasunkodagoda.com/2017/09/03/introducing-owasp-zed-attack-proxy-task-for-visual-studio-team-services/ (also the guy who created the Azure devops task)
All well and good but recently I wanted to use an REST Api as a target url. The Owasp zap task in azure devops doesn't have the ability. Even asked the creator (https://github.com/kasunkv/owasp-zap-vsts-task/issues/30#issuecomment-452258621) and he also didn't think this is available through the Azure devops task and only through docker.
On my next quest I am now trying to get it running inside a docker image. (Firstly inside Azure devops but that wasn't smooth https://github.com/zaproxy/zaproxy/issues/5176 ) And finally getting on this tutorial (https://zaproxy.blogspot.com/2017/06/scanning-apis-with-zap.html)
Where I am trying to run a docker image with the following steps:
--- docker pull owasp/zap2docker-weekly
--running the container
-------command : docker run -v ${pwd}:/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t https://apiurl/api.json -f openapi -z "-configfile /zap/wrk/options.prop"
------- options.prop file
-config replacer.full_list\(0\).description=auth1 \
-config replacer.full_list\(0\).enabled=true \
-config replacer.full_list\(0\).matchtype=REQ_HEADER \
-config replacer.full_list\(0\).matchstr=Authorization \
-config replacer.full_list\(0\).regex=false \
-config replacer.full_list\(0\).replacement=Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
But This scans only the root url not every URL. As I am typing this question i tried to download the json file from the root and running the docker run command with passing the json file with the -t I am getting number of imported url's : what seems to be everything. But this seems to freeze inside powershell.
Which step do i miss to get a full recursive scan on my rest api ? Any one some ideas or some help pls ?
Upvotes: 3
Views: 3309
Answers (1)
Reputation: 6196
Firstly, your property file format is wrong. You only need the '-config' and '\'s if you set the options directly on the command line. In the property file you should have:
replacer.full_list(0).description=auth1
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Secondly, what does https://apiurl/api.json return and have you checked you can access it from within your docker container? Try running
curl https://apiurl/api.json
and see what you get.
Upvotes: 2
Related Questions
- ZAP active scan works in desktop but fails in docker image with url_not_in_context error
- Scanning APIs with ZAP Docker image - How to provide Bearer Token?
- How to run ZAP Scan to scan another container
- Zap docker - Active scan
- How to intercept and modify the response to a docker using owasp zap
- OWASP Zap Docker scan spidering out-of-scope items
- OWASP ZAP docker returns 'Connection refused' when running active-scan
- How to run OWASP Zed Attack Proxy ZAP's zap-api-scan.py without requiring docker
- Configuration of Owasp Zap on Azure Container Instances
- Pass login parameters to scan with owasp zap on docker command